Security researchers at the cybersecurity firm ESET have discovered a new malware campaign that abuses stolen digital certificates. The researchers spotted the campaign when some of their systems flagged several files as suspicious.
Plead Malware Using the Stolen Certificates
It turned out that the flagged files were digitally signed with a valid D-Link Corporation code-signing certificate. The very same certificate had been used to sign legitimate D-Link software, meaning the certificate was most likely stolen, the researchers said in their report.
“Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018,” the ESET researchers wrote.
The analysis showed that two different malware families are abusing the certificate – the Plead malware, a remotely controlled backdoor, and a related password-stealing component. According to researchers from Trend Micro, the Plead backdoor is used by a cyber-espionage group known as BlackTech.
Along with the Plead malware samples signed with the stolen D-Link certificate, samples signed with a certificate belonging to Changing Information Technology Inc., a Taiwanese security company, have also been discovered. The BlackTech hackers appear to be still using that certificate even though it was revoked on July 4, 2017, a year ago.
The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region, the researchers noted.
It should be noted that “the signed Plead malware samples are highly obfuscated with junk code, but the purpose of the malware is similar in all samples: it downloads from a remote server or opens from the local disk a small encrypted binary blob (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/valid-d-link-certificate-plead-malware/